Should companies be held liable for software flaws?

December 2, 2016
—With more cars and medical devices connecting to the internet, what happens if automakers and health care companies don't start prioritizing digital security?

Many cybersecurity experts worry that faulty code in the so-called Internet of Things (IoT) won't just cause systems to malfunction and freeze. Instead, they say, flaws inside connected cars or pacemakers could lead to serious injury or death.

As a result, leading digital security experts are calling on US policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.

But can that strategy work? Or will more government regulation stifle innovation?

Those were the big questions at an event Wednesday at the Atlantic Council in Washington. Passcode was a media partner of the event. Here are a few things we learned:

To lay the legal foundation for the Digital Age, policymakers need to start wrapping their minds around the idea that we're living in an era of technology, where everything we depend on is a computer that may be connected to the internet, says cryptographer Bruce Schneier, a fellow at Harvard Law School's Berkman Klein Center for Internet and Society.

"The way to think about the world is that we’re creating technology where everything is a computer," he said. "Your smartphone is a computer that makes calls. Your car is a 100-computer network with an engine. That’s the Internet of Things."

Though the US government hasn't adopted regulations for the burgeoning space, the Obama administration last month released guidelines for IoT devices that called on engineers to build secure features into the design of connected products. That followed a similar strategy from the Department of Homeland Security that said manufacturers should prioritize security features for the most harmful functions that could be breached.

But creating a legal regime that determines who's responsible for security flaws in those computers or software, Mr. Schneier says, will require the country to enact consumer protection laws that can more effectively respond to rapid changes in technology. More safety regulation is needed, he added, because consumers still might buy harmful products if they tend to work well, regardless of the potential dangers to their safety.

"The market can’t fix this because neither the buyer and the seller care," he said. "Until now, we've given programmers the right to code the world that they saw fit. We need to figure out the policy."

2. Data rules everything around you

In the era of big data, companies can measure many digital security metrics, from the cost of cyberattacks to the susceptibility of employees to phishing and other hacking tricks. But there's still not enough data on IoT breaches, because its spread is so new, says John Soughan, who heads up business in the cyberinsurance division at Zurich North America, a Switzerland-based insurance company.

"Right now, there’s not enough data around what are the causes of these breaches, all of the liabilities in there. That’s problematic for insurance companies, because that’s part of the market," he said. "That’s why we're supportive of efforts to collect breach data to make sure we know what the cost of that risk is."

The lack of information on data breaches is also problematic as courts begin to determine how to settle cases where consumers are harmed by internet-connected products. Since there's been few efforts to categorically track the harmful impact of faulty internet-connected products, legal cases against manufacturers are often based on ambiguous threats, which may not be enough to get a ruling – let alone create a precedent for future cases.

What's more, added Wendy Knox Everette, a legal fellow at the technology-focused law firm ZwillGen,"the amorphous threat of some future non-physical harm is not enough for a court to address right now."

3. Learn to live with risk

Even if there is a legal framework for IoT that's designed to protect consumers, people still may need to accept some risk with these types of devices, the experts said.

"We don’t want perfectly unbreakable door locks because they’d be too expensive. We choose to bear that risk," said Eli Dourado, director of the Technology Policy Program at George Mason University's Mercatus Center. "You never get rid of externalities. We’re trying to get to the most efficient result – the least harm."

So to strike a balance between keeping consumers secure and enabling technology to advance, experts say, policymakers would do well to find ways to get the riskiest products off the market.

"The IoT makes people think about software liability," said Ms. Everette. "Instead of being locked inside desktop computers, [software] is now inside physical devices that can now interact with us and possibly harm us... . You can buy knives, but we no longer have lawn darts on the market. That’s a really good way to see how product liability helps you determine your risk."